In light of recent data breaches, including a December 2010 incident which affected 2.2 million Honda customers, IT managers need to limit what data is actually shared with cloud service providers.

Corporations partnering with cloud service providers need to
think carefully about what data is being shared to adequately protect consumer
privacy, according to security experts.
As companies outsource various business functions, which can
range from e-mail marketing to e-discovery and e-mail archiving, it's important
to remember that the data leaving the corporate network still needs to be
protected. The protection should be worked in to the contract, ensuring a
standard level of security, before the company hands over the data.

There are many benefits of the cloud, but "all that goes out
the window when there is a data breach," Ben Goodman, principal strategist for
identity, security, and compliance at Novell, told eWEEK. When the cloud
provider gets breached, the company that hired the provider is help
responsible, he said. Companies "outsource the job, not the responsibility,"
Goodman added.

That was the case when an e-mail marketing firm that Honda
partnered with had a data breach in late December. Criminals stole a database
containing names, login names to a Honda portal, e-mail addresses, and
17-character Vehicle Identification Numbers for 2.2 million Honda customers,
according to a Dec. 28 report in Columbus
Dispatch. A separate list of 2.7 million Acura customer e-mail addresses
was also stolen from the same marketing firm, but that list did not have any
other customer data.
The inclusion of VINs in the stole data was surprising, as
Honda shared its customer information with the firm for e-mail marketing
services. People understand that a certain level of "data granularity is
required" when the data is stored on-premise, but when that information
"crosses the firewall," it's not acceptable, said Goodman. Enterprises should
be exercising "minimum disclosure," and not giving external providers "more
data than they need," he said.
Enterprises are "not as concerned as they should be," about
how other providers are using their data, Brian Singer, senior security
management solution manager at Novell, told eWEEK. Honda's relationship with
the e-mail marketing provider was analogous to the one an enterprise would have
with a cloud provider, Singer said, and similar rules applied. Enterprises need
to be careful what data they provide to cloud service providers, because the
providers may not have the kind of security controls that would exist
internally, he said.
"Don't take for granted the provider will secure the data,"
Goodman said.
Companies should discuss security measures such as access
control, network monitoring, and regular audits when negotiating the
partnership, Singer said. It should be clearly part of the contract that the
provider needs to make sure the data is being secured, he said.
There is no reason to just hand over the information as is
to the provider, said Singer, just because it might have taken some extra time
to remove unnecessary data fields from the files. Prior to sending the data, it
needs to be examined to verify that the bare minimum of what the provider needs
is sent, and nothing else, he said. In Honda's case, the VIN numbers clearly
were unnecessary for the firm to send customers a Welcome email after they
bought the car at a dealership, or created an account with Honda Financial
Services.
Cloud applications deployed "under radar" without IT approval
or supervision are also a challenge for IT managers who need to ensure proper
data granularity, Goodman said. "All the effort to put in access control and
security" measures are compromised when the data is being passed on to these
cloud applications without thinking about whether it's really necessary to
share all that information, , Goodman said.
Another concern with cloud service providers is the fact
that they are multi-tenanted, Singer said. It is difficult for the enterprise
to know the extent of a data breach that hits a cloud service providers,
whether the data of one company or multiple companies were compromised by the
breach. "Companies don't know which
companies are affected," he said.